Regenerate TLS Keys and Certificates

When an EC2 (Amazon's Elastic Compute Cloud) instance is stopped and started again, a new hostname is assigned to the instance, so new TLS certificates must be generated to match the new hostname. The following covers how to regenerate TLS keys and certificates, and also how to regenerate the EJBCA SuperAdmin keystore, which is useful if you lose the SuperAdmin keystore or if it expires.

Regenerate TLS Keys and Certificates

EJBCA

The following describes how to generate new TLS certificates on the EJBCA Cloud instance. For more information, refer to the AWS TLS Certificate Generation Guide and Azure TLS Certificate Generation Guide.

  1. SSH to the EJBCA server instance. For example:

    ssh -i ~/.ssh/your-public-key.pem ec2-user@ec2-13-48-137-48.eu-north-1.compute.amazonaws.com
  2. Run the following commands to generate new certificates:

    # sudo su -
    # cd /opt/PrimeKey/support
    # ./new_tls_cert.sh -p

SignServer

The following describes how to generate new TLS certificates on the SignServer Cloud instance. For more information, refer to the AWS TLS Certificate Generation Guide.

To generate new TLS certificates:

  1. SSH to the EJBCA instance (the SignServer certificates are generated on the EJBCA instance and copied over afterwards). For example:

    ssh -i ~/.ssh/your-public-key.pem ec2-user@ec2-13-48-137-48.eu-north-1.compute.amazonaws.com
  2. Run the following commands to get elevated privileges and change to the correct directory:

    # sudo su -
    # cd /opt/PrimeKey/support
  3. Execute the script create_ra_tls_certs.sh with the DNS and IP information for the SignServer instance, specifying the external DNS name, internal DNS name, external IP, and internal IP according to the following example:

    # ./create_ra_tls_certs.sh -d ec2-13-48-31-155.eu-north-1.compute.amazonaws.com -d ip-172-16-2-38.ec2.internal -i 13.48.31.155 -i 172.16.2.38
  4. Copy the generated PEM files from /home/ec2-user/pem/ on the EJBCA instance to /etc/httpd/ssl on the SignServer instance.
    Note that it is also possible to use a third-party program to copy the files from server to server.

    On your local machine, create a directory to hold the files:

    mkdir signserverpem

    Fetch the files from EJBCA:

    scp -i ~/.ssh/your-public-key.pem ec2-user@ec2-13-48-137-48.eu-north-1.compute.amazonaws.com:/home/ec2-user/pem/* signserverpem/.

    Push them to SignServer:

    scp -i ~/.ssh/your-public-key.pem signserverpem/* ec2-user@ec2-13-48-31-155.eu-north-1.compute.amazonaws.com:.
  5. SSH to the SignServer instance:

    ssh -i ~/.ssh/your-public-key.pem ec2-user@ec2-13-48-31-155.eu-north-1.compute.amazonaws.com

    On SignServer:

    cp *.pem /etc/httpd/ssl/.
    cp *.key /etc/httpd/ssl/.
  6. Restart the Apache service:

    # sudo -i
    # systemctl restart httpd
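As an added check that is not part of the original guide, the following shell functions verify, before the PEM files are copied in step 4, that the generated certificate lists every DNS name and IP address passed to create_ra_tls_certs.sh with -d and -i, and that the private key actually belongs to that certificate. The file names cert.pem and key.pem are assumed placeholders for the files in /home/ec2-user/pem/, and openssl is assumed to be on the path.

```shell
#!/bin/sh
# Sanity check for PEM files produced by create_ra_tls_certs.sh / new_tls_cert.sh.
# cert.pem and key.pem are placeholder names; use the actual files in /home/ec2-user/pem/.

# Print the Subject Alternative Name entries of a PEM certificate, one per line,
# e.g. "DNS:host.example" and "IP Address:10.0.0.5".
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Return 0 if the certificate contains every "DNS:<name>" / "IP Address:<ip>"
# entry given as further arguments (exact match, so a longer name does not
# satisfy a shorter one), 1 if any entry is missing.
check_sans() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    rc=0
    for want in "$@"; do
        if printf '%s\n' "$sans" | grep -qxF "$want"; then
            echo "ok      $want"
        else
            echo "MISSING $want"; rc=1
        fi
    done
    return $rc
}

# Return 0 if the public key embedded in the certificate equals the public key
# derived from the private key (works for RSA and EC keys alike).
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Example run with the names and addresses used earlier in this guide:
# check_sans cert.pem \
#   "DNS:ec2-13-48-31-155.eu-north-1.compute.amazonaws.com" \
#   "DNS:ip-172-16-2-38.ec2.internal" \
#   "IP Address:13.48.31.155" "IP Address:172.16.2.38" \
# && check_key_matches_cert cert.pem key.pem && echo "certificate and key look good"
```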

Regenerate EJBCA SuperAdmin Keystore

The following describes how to generate a new SuperAdmin keystore, which is useful if you lose the SuperAdmin keystore or if it expires.

To generate a new SuperAdmin keystore using the CLI:

  1. Renew the superadmin certificate (status 10 sets the end entity back to NEW so that the batch command enrolls it again):

    # cd /opt/ejbca
    # bin/ejbca.sh ra setendentitystatus superadmin 10
    # bin/ejbca.sh ra setclearpwd superadmin password
    # bin/ejbca.sh batch
  2. Copy /opt/ejbca/p12/superadmin.p12 to your local machine and import it into your browser (using the password set above: password):

    # scp -i /route/to/your/pem-file.pem ec2-user@ec2-13-53-44-197.eu-north-1.compute.amazonaws.com:/opt/ejbca/p12/superadmin.p12 /directory/you/want-to/download
  3. Verify that you can access the EJBCA Admin Web with the new superadmin certificate.